DETAILED ACTION



Drawings

2. The drawings are objected to because descriptive text labels are not shown. A proposed
drawing correction or corrected drawings are required in reply to the Office action to avoid
abandonment of the application. The objection to the drawings will not be held in abeyance.

Specification

Acknowledgment is made of applicant's claim for foreign priority under 35 U.S.C. 119(a)-(d).
However, the reference to foreign priority Application No. 9904841-5 at the first
sentence of the specification is not required and must be cancelled. See MPEP 608.01

Claim Rejections - 35 USC § 112

The following is a quotation of the second paragraph of 35 U.S.C. 112:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the
subject matter which the applicant regards as his invention.

Claim 13 is rejected under 35 U.S.C. 112, second paragraph, as being indefinite for failing to
particularly point out and distinctly claim the subject matter which applicant regards as the
invention. Claim 13 recites, "...a regular expression in a wildcard expression..." in line 2.
It is unclear what is the regular expression in a wildcard expressing and how matching is
performed based upon a regular expression in a wildcard expression.

Claim Rejections - 35 USC § 103



The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

4. Claims 1-17 and 20 are rejected under 35 U.S.C. 103(a) as being unpatentable over Hoke
(U.S. 6,701,437) in view of Wesinger (U.S. 5,898,830).

Regarding claims 1 and 20, Hoke'437 discloses a device (see FIG. 1, a combined
system of VPN unit 115 and the router 114) which performs the method arranged to 
establish a connection between a first computer (see FIG. 1, end stations 111-113) of a first 
computer network (see FIG. 1, LAN 110) and a resource (see FIG. 1, end stations 121- 
123,171-173, 181-182, or 131-132) of a second computer network (see FIG. 1, LAN 
130,120, or 170) via a third network (see FIG. 1, Public Network 100), along a route 
through the device having an interface to the first computer network (see FIG. 1, the 
combined system of VPN unit and router 114 have an interface to LAN 110), and 
through a gateway (see FIG. 1, a combined system of VPN unit 125/135 and the router 
124/134) intervening between the second computer network and the third network, the 
resource belonging to the domain of the gateway (see FIG. 1, end stations 121-123,171-173, 
181-182, or 131-132 are in the domain of LAN 120, or 170) wherein the device comprises: 

means arranged to configure a tunnel from the device to the gateway (see FIG. 3, 
Step 350,160; see col. 11, lines 5-32; note that VPN unit provisions/configures a tunnel 
toward the combined system of VPN unit 125/135 and the router 124/134),



Application/Control Number: 09/751,013

Art Unit: 2661

means arranged to map the tunnel (see FIG. 2, Tunnel 230) with a requester (see 
FIG. 1, ES112, end station 112) and a domain name of the gateway (see FIG. 2,
Destination 234 is the domain name/address of VPN unit 125; see col. 9, lines 19-34; 
note that a tunnel is arranged/provisioned to map/encapsulate with the end station 112 
and the name/address of the remote VPN unit 125), 

means arranged to receive a request, issued by the requester, via the interface for a 
connection from the first computer to the resource by specifying a name of the resource (see 
FIG. 2, ES131, the name/address of the end station 131; see FIG. 3, steps 300, 310, 330; 
see col. 10, lines 44-54, col. 11, lines 6-12; note that VPN unit receives a packet which
requests to route by the source end station computer (i.e. requester) via the LAN 
interface connection, and the packet specifies a destination address/name of end 
station), 

means arranged to use a rule for matching the name of the resource with the gateway 
(see FIG. 2, steps 340,350; see col. 11, lines 11-19, 24-28; note that the VPN unit 
performs/uses the VPN policy rules to translate/match/identify between destination
end station and the appropriate destination VPN unit), 

means arranged to map the name of the resource to the tunnel (see FIG. 2, the 
destination name/address of ES131; see col. 9, lines 19-34; note that a tunnel 230 is 
arranged/provisioned to map/encapsulate the destination name/address of the end 
station), 

means arranged to return a temporary IP number to the first computer (see col. 12, 
lines 44-52; note that since source end station utilizes the client pool IP address/number
(i.e. temporary IP address) to communicate with the remote end station, the VPN unit
must have informed/returned the client pool IP address/number to the source end 
station), 

means arranged to map the temporary IP number to the name of the resource (see 
FIG. 5, steps 510,512,514,516,518; see col. 12, lines 32-55, col. 13, lines 1-5,21-49; note
that the client pool IP address/number is mapped/assigned dynamically/temporarily for 
a period of time (i.e. temporary IP address) to the remote/destination address/name), 

means arranged to cooperate with the gateway administrating the handling of data 
packets such that data packets addressed by the first computer to the temporary IP number, 
arriving through the tunnel at the gateway, are routed to the resource (see FIG. 4, steps 400, 
410, 430, 40, 450, 460; see FIG. 5, steps 506, 508, 510; see col. 11, lines 33-39, 65-67, see 
col. 12, lines 1-19; see col. 13, lines 22-35; note the remote VPN unit performs as a 
gateway to handle/manage the arrived encapsulated packets via the tunnel so that the 
encapsulated packets addressed by the source end station to the client pool IP address 
are routed to the destination end station), 

means arranged to cooperate with the gateway administrating the handling of data 
packets such that data packets arriving from the resource destined to the first computer, are at 
the gateway routed through the tunnel to the first computer via the device (see FIG. 3, steps 
300,310,330,340,350,360; see col. 10, lines 43-59, col. 11, lines 5, lines 6-33; see FIG. 4,
steps 400, 410, 430, 40, 450, 460; see col. 11, lines 33-39, 65-67, see col. 12, lines 1-19; 
note the remote VPN unit performs as a gateway to handle/manage the packets 
arriving from the source end terminal destined to the destination end terminal are
encapsulated and routed through the tunnel to the source end station via VPN unit). 

Hoke'437 does not explicitly disclose means arranged to return a temporary IP 
number to the first computer in answer to the request. 

However, the above-mentioned claimed limitations are taught by Wesinger'830. In
particular, Wesinger'830 teaches a device (see FIG. 1, a combined system of Firewall and 
virtual host 105/107) means arranged to receive a request, issued by the requester (see FIG. 
1, Client C), via the interface for a connection (see FIG. 1, Connection via network 
segment 102) from the first computer (see FIG. 1, Client Computer C) to the resource (see 
FIG. 1, host computer D) by specifying a name of the resource (see col. 9, lines 15-17; note 
that client C initiates/requests a connection to host D by using the name/address of host 



means arranged to return a temporary IP number (see FIG. 1, Virtual Host 105b) to 
the first computer in answer to the request (see col. 7, lines 20-24; see col. 12, lines 28-38; 
note that the combined system of firewall and virtual host returns the 
virtual/temporary host IP address (i.e. temporary IP number) to the client C in 
response/answer to the request), 

means arranged to map the temporary IP number to the name of the resource (see col. 
10, lines 50-65; note that virtual/temporary host IP address is mapped to the name of
the remote host name), 

means arranged to cooperate with the gateway (see FIG. 1, a combined system of 
Firewall and virtual host 155/157) administrating the handling of data packets such that 
data packets addressed by the first computer to the temporary IP number, arriving through at
the gateway, are routed to the resource (see col. 9, lines 25-29, see col. 10, lines 61-60, see 
col. 12, lines 9-23, see col. 13, lines 25-35; note that the combined system of firewall and 
virtual host performs as a gateway to handle/manage the arrived packets by decryption 
and re-mapping so that the packets addressed by the client station to the host 
name/address are routed to the host station accordingly). 

In view of this, having the system of Hoke'437 and then given the teaching of 
Wesinger'830, it would have been obvious to one having ordinary skill in the art at the time 
the invention was made to modify the system of Hoke'437, by providing a temporary/virtual 
host address in response to a request, as taught by Wesinger'830. The motivation to combine 
is to obtain the advantages/benefits taught by Wesinger'830 since Wesinger'830 states at col.
3, line 48-53 that such modification would provide a firewall that achieves both maximum 
network security and maximum user convenience. 

Regarding claim 2, the combined system of Hoke'437 and Wesinger'830 discloses 
all aspects of the claimed invention set forth in the rejection of Claim 1 as described above, 
and Hoke'437 further teaches transmitting a message with the mapping of the temporary IP 
number to the gateway by means of the tunnel (see col. 9, lines 19-34; note that a tunnel is 
arranged/provisioned to map/encapsulate with the name/address of the remote end 
station and remote VPN unit name/address. Also, see col. 12, lines 32-55, col. 13, lines 1- 
5,21-49; note that the client pool IP address/number is mapped/assigned 
dynamically/temporarily to the remote/destination address/name. Thus, it is clear that
a tunnel message with client pool IP address/number of the remote end station and
remote VPN unit address/name is transmitted via the tunneling). Wesinger'830 also
teaches transmitting a message with the mapping of the temporary IP number to the gateway 
(see col. 9, lines 5-25, see col. 10, lines 49-65; note that during the DNS queries, a 
message is transmitted with the mapping of virtual host address/name/number between 
the combined system of virtual hosts and the firewalls). 

Regarding claim 3, the combined system of Hoke'437 and Wesinger'830 discloses 
all aspects of the claimed invention set forth in the rejection of Claim 1 as described above, 
and Hoke'437 further teaches directing the intermediate system to translate, source addresses 
of data packets addressed to the temporary IP number, to be sent through the tunnel (see col. 
12, lines 43-62; see col. 13, lines 22-35; note the VPN unit maps/translates the source 
addresses of the end stations addressed to the remote client pool IP/number to send 
through the tunnel). Wesinger'830 also teaches directing the intermediate system to 
translate source addresses of data packets addressed to the temporary IP number (see col. 9, 
lines 15-30, col. 10, lines 52-54; note that the combined system of firewall and virtual 
host translates/maps the source addresses of packets addressed to the client 
virtual/temporary IP host address/number). 

Regarding claim 4, the combined system of Hoke'437 and Wesinger'830 discloses 
all aspects of the claimed invention set forth in the rejection of Claim 1 as described above, 
and Hoke'437 further teaches directing the intermediate system to translate destination 
addresses of data packets addressed to the temporary IP number to be sent through the tunnel
(see col. 12, lines 43-62; see col. 13, lines 22-35; note the VPN unit 115 maps/translates
the destination addresses of the end stations addressed to the remote client pool 
IP/number to send through the tunnel). 

Hoke'437 does not explicitly disclose translating by utilizing the DNS function.

However, the above-mentioned claimed limitations are taught by Wesinger'830. In 
particular, Wesinger'830 also teaches directing the intermediate system to translate,
destination addresses of data packets addressed to the temporary IP number, by means of at
least a partial DNS function in the intermediate system (see col. 9, lines 15-30, col. 10, lines
52-54; note that the combined system of firewall and virtual host translates/maps, the
destination addresses of packets addressed to the client virtual/temporary IP host
address/number, by utilizing DNS/DDNS table/function).

In view of this, having the system of Hoke'437 and then given the teaching of 
Wesinger'830, it would have been obvious to one having ordinary skill in the art at the time 
the invention was made to modify the system of Wesinger'830, by utilizing DNS 
table/function to perform address translation, as taught by Wesinger'830, for the same 
motivation as stated above in Claim 1. 

Regarding claim 5, the combined system of Hoke'437 and Wesinger'830 discloses
all aspects of the claimed invention set forth in the rejection of Claim 1 as described above, 
and Hoke'437 further teaches the gateway translating source addresses of data packets 
arriving through the tunnel addressed to the temporary IP number and routing these data 
packets to the resource (see FIG. 5, step 510; see col. 13, lines 22-35; note the VPN unit
maps/translates/changes the real source addresses arriving via the tunnel addressed to
the client pool IP address/number, and routes towards the end station). Wesinger'830
also teaches the gateway translating source addresses of data packets addressed to the 
temporary IP number and routing these data packets to the resource (see col. 9, lines 25-29, 
see col. 10, lines 61-60, see col. 12, lines 9-23, see col. 13, lines 25-35; note that the 
combined system of firewall and virtual host translates/maps the source addresses 
addressed to the virtual/temporary host IP address/number, and routes towards the 
host/client accordingly). 

Regarding claim 6, the combined system of Hoke'437 and Wesinger'830 discloses 
all aspects of the claimed invention set forth in the rejection of Claim 1 as described above, 
and Hoke'437 further teaches the gateway translating destination addresses of data packets 
arriving through the tunnel addressed to the temporary IP number and routing these data 
packets to the resource (see FIG. 5, step 510; see col. 13, lines 22-35; note the VPN unit
115 maps/translates/changes the real destination addresses arriving via the tunnel
addressed to the client pool IP address/number, and routes towards the end station).
Wesinger'830 also teaches the gateway translating destination addresses of data packets 
addressed to the temporary IP number and routing these data packets to the resource (see col. 
9, lines 25-29, see col. 10, lines 61-60, see col. 12, lines 9-23, see col. 13, lines 25-35; note 
that the combined system of firewall and virtual host translates/maps the destination 
addresses addressed to the virtual/temporary host IP address/number, and routes
towards the host/client accordingly). 

Regarding claim 7, the combined system of Hoke'437 and Wesinger'830 discloses
all aspects of the claimed invention set forth in the rejection of Claim 1 as described above, 
and Hoke'437 further teaches the gateway translating source and destination addresses of data 
packets arriving from the resource destined to the first computer (see FIG. 2, Source and 
destination addresses of packets 240 are translated to VPN network addresses), and 
routing these data packets through the tunnel to the first computer via the intermediate 
system (see FIG. 3, steps 300,310,330,340,350,360; see col. 10, lines 43-59, col. 11, lines 
5, lines 6-33; see FIG. 4, steps 400, 410, 430, 40, 450, 460; see col. 11, lines 33-39, 65-67, 
see col. 12, lines 1-19; note the remote VPN unit translates the addresses of the packets,
arriving from the remote end terminal destined to the source end terminal, to the network
addresses and routed through the tunnel to the source end station via VPN unit). 



Regarding claim 8, the combined system of Hoke'437 and Wesinger'830 discloses 
all aspects of the claimed invention set forth in the rejection of Claim 1 as described above, 
and Hoke'437 further teaches directing the intermediate system to translate source and
destination addresses of data packets (see FIG. 2, Source and destination addresses of 
packets 240 are translated from VPN network addresses), arriving from the resource via 
the tunnel destined to the first computer (see FIG. 3, steps 300,310,330,340,350,360; see 
col. 10, lines 43-59, col. 11, lines 5, lines 6-33; see FIG. 4, steps 400, 410, 430, 40, 450, 
460; see col. 11, lines 33-39, 65-67, see col. 12, lines 1-19; note the VPN unit translates
the source and destination addresses of the packets from the VPN network addresses 
arriving from the remote end terminal via the tunnel destined to the source terminal). 

Regarding claim 9, the combined system of Hoke'437 and Wesinger'830 discloses
all aspects of the claimed invention set forth in the rejection of Claim 1 as described above, 
and Hoke'437 further teaches wherein the third network is a telecommunications network 
(see FIG. 1, public network 100; see col. 6, lines 50-54; note the public network is the 
telecommunication network). 

Regarding claim 10, the combined system of Hoke'437 and Wesinger'830 discloses 
all aspects of the claimed invention set forth in the rejection of Claim 1 as described above, 
and Hoke'437 further teaches wherein the third network is Internet (see FIG. 1, public 
network 100; see col. 6, lines 50-54; note the public network is the Internet).

Regarding claim 11, the combined system of Hoke'437 and Wesinger'830 discloses 
all aspects of the claimed invention set forth in the rejection of Claim 1 as described above, 
and Hoke'437 further teaches wherein the rule for matching the name of the resource with the 
gateway is based on a mapping (see FIG. 2, steps 340,350; see col. 11, lines 11-19, 24-28; 
see col. 8, lines 37-44; note that the VPN unit performs/uses the VPN policy rules to 
translate/map/identify between destination end station and the appropriate destination 
VPN unit). 

Regarding claim 12, the combined system of Hoke'437 and Wesinger'830 discloses
all aspects of the claimed invention set forth in the rejection of Claim 1 as described above, 
and Hoke'437 further teaches wherein the rule for matching the name of the resource with the 
gateway is based on a list of hosts (see FIG. 2, steps 340,350; see col. 11, lines 11-19, 24- 
28; see col. 8, lines 37-44; note that the VPN unit performs/uses the VPN policy rules to 
translate/map/identify between destination end station and the appropriate destination 
VPN unit and the translation/mapping is based upon lookup table which contains list of 
end terminals). 

Regarding claim 14, the combined system of Hoke'437 and Wesinger'830 discloses 
all aspects of the claimed invention set forth in the rejection of Claim 1 as described above, 
and Hoke'437 further teaches wherein the rule for matching the name of the resource with the 
gateway is based on matching a domain name of the name of the resource with the domain 
name of the gateway (see FIG. 2, steps 340,350; see col. 11, lines 11-19, 24-28; see col. 8, 
lines 37-44; note that the VPN unit performs/uses the VPN policy rules to 
translate/map/identify between VPN network name/address of the name/address 
destination end station and the appropriate destination VPN unit). Wesinger'830 
discloses wherein matching a domain name of the name of the resource with the domain 
name of the gateway (see col. 9, lines 4-14; col. 10, lines 46-65; note that domain 
name/address of the name/address of the client is matched/mapped to the domain name 
of the firewall). 

Regarding claim 15, the combined system of Hoke'437 and Wesinger'830 discloses
all aspects of the claimed invention set forth in the rejection of Claim 1 as described above, 
and Hoke'437 further teaches authenticating the requester at the first computer for access to 
the tunnel (see col. 2, lines 46-55; see col. 8, lines 37-44; note that the VPN unit
authenticates the end station (i.e. requester) by utilizing the lookup table in order to 
access the tunnel). 

Regarding claim 16, the combined system of Hoke'437 and Wesinger'830 discloses 
all aspects of the claimed invention set forth in the rejection of Claim 1 as described above, 
and Hoke'437 further teaches wherein the name of the resource corresponds to a second 
computer (see FIG. 1, computer Terminals 121-123, 181-182, or 131-132) within the 
second computer network, the second computer belonging to the domain of the gateway (see 
FIG. 1, domain name/address of LAN 120, 170, or LAN 130) and comprising the resource 
(see FIG. 1, computer Terminals 121-123, 181-182, or 131-132 comprises the resources); 
see col. 5, lines 65 to col. 6, lines 20. 

Regarding claim 17, Hoke'437 discloses wherein the gateway administrating the
handling of data packets such that data packets addressed by the first computer to the 
temporary IP number, arriving through the tunnel, are routed to the resource set forth in the 
rejection of Claim 1 and 16 as described above. Hoke'437 further discloses resources residing 
on the second computer (see FIG. 1, computer Terminals 121-123, 181-182, or 131-132
comprises the resources); see col. 5, lines 65 to col. 6, lines 20. 



Allowable Subject Matter 

5. Claims 18 and 19 are objected to as being dependent upon a rejected base claim, but would
be allowable if rewritten in independent form including all of the limitations of the base 
claim and any intervening claims. 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Ian N Moore whose telephone number is 703-605-1531. The
examiner can normally be reached on M-F: 9-5. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ricky Ngo can be reached on 703-305-4798. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 